Missing DNSSEC key causes BIND process overload

Raymond Drew Walker Ray.Walker at nau.edu
Thu Jun 21 22:57:56 UTC 2012


Running BIND 9.9.0

Upon having some DNSSEC keys run out of activity with no active
replacements, we noticed some interesting behavior with the named
process...

When a zone signing key enters its Inactive phase, the zone still loads
on startup:

19-Jun-2012 09:54:10.176 general: zone_timer: zone badzone.nau.edu/IN: enter
19-Jun-2012 09:54:10.176 general: zone_maintenance: zone badzone.nau.edu/IN: enter
19-Jun-2012 09:54:10.176 notify: zone badzone.nau.edu/IN: sending notifies (serial 91416)
19-Jun-2012 09:54:10.177 general: zone badzone.nau.edu/IN: Key badzone.nau.edu/RSASHA1/11985 missing or inactive and has no replacement: retaining signatures.
19-Jun-2012 09:54:10.177 general: zone_settimer: zone badzone.nau.edu/IN: enter
19-Jun-2012 09:54:10.177 general: zone_settimer: zone badzone.nau.edu/IN: enter

Eventually we'll see failures on updating the zone:

Jun 17 04:06:58 diamond named[19951]: client 134.114.X.X#52804: updating zone 'badzone.nau.edu/IN': found no active private keys, unable to generate any signatures
Jun 17 04:06:58 diamond named[19951]: client 134.114.X.X#52804: updating zone 'badzone.nau.edu/IN': RRSIG/NSEC/NSEC3 update failed: not found


This occurred to a few zones, but then something odd started happening...

The named process ramped up to 100%+ of a processor. Nothing in the named
logs indicated why this was happening... This caused SERVFAIL and other
timeouts on all kinds of operations on the machine.

Our initial solution was to make new keys available (keys were actually
created, just not put in place), and the zones at issue should recover.

The zones at issue ended up requiring a manual re-sign to completely
resolve the issue.


Anyone have an explanation of why this would happen (named gobbling up
CPU, and also requiring manual resigning of the zones)?

Thanks in advance,

Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University
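The situation in the post, a ZSK that has passed its Inactivate time with no successor in the key-directory, can be caught from the key files alone before named starts logging "found no active private keys". The script below is an added example written for this page; it is not from the post, from NAU, or from BIND. It assumes BIND's K<zone>.+<alg>+<keyid>.key/.private file layout, with "Activate:", "Inactivate:" and "Delete:" timestamps (YYYYMMDDHHMMSS, UTC) in the .private file and the DNSKEY flags (257 KSK, 256 ZSK) in the .key file. The zone name, key id 11985, algorithm RSASHA1 and the 17 June timestamp come from the post; the key ids 40000 and 22222 and all key file contents are constructed for the demo and contain no real key material. The check reads timing metadata only, which approximates named's own decision (named additionally needs to be able to read the .private file from its key-directory).

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): audit a zone's
# DNSSEC key files for a ZSK that is past its Inactivate time with no active
# successor, the state that precedes named's "found no active private keys".
# All key files written here are constructed for the demo; no real key data.

# State of the key in .private file $1 at time $2 (YYYYMMDDHHMMSS):
# pending, active, inactive or deleted, from its timing metadata.
key_state() {
    awk -v now="$2" '
        BEGIN { now = now + 0 }
        $1 == "Activate:"   { act   = $2 + 0 }
        $1 == "Inactivate:" { inact = $2 + 0 }
        $1 == "Delete:"     { del   = $2 + 0 }
        END {
            if (del   && now >= del)   { print "deleted";  exit }
            if (inact && now >= inact) { print "inactive"; exit }
            if (!act  || now <  act)   { print "pending";  exit }
            print "active"
        }' "$1"
}

# Role (ksk or zsk) from the DNSKEY flags field in .key file $1; ";" lines are comments.
key_role() {
    awk '/^;/ { next }
         { for (i = 1; i < NF; i++) if ($i == "DNSKEY") { print ($(i+1) == 257 ? "ksk" : "zsk"); exit } }' "$1"
}

# One line per key in key directory $1: key file base name, role, state at time $2.
list_keys() {
    for priv in "$1"/K*.private; do
        [ -f "$priv" ] || continue
        printf '%s %s %s\n' "$(basename "$priv" .private)" \
            "$(key_role "${priv%.private}.key")" "$(key_state "$priv" "$2")"
    done
}

# Number of keys of role $2 (ksk|zsk) that are active at time $3 in directory $1.
count_active() {
    list_keys "$1" "$3" | awk -v role="$2" '$2 == role && $3 == "active" { n++ } END { print n + 0 }'
}

# Write a constructed key pair into dir $1 for zone $2, algorithm $3, key id $4,
# DNSKEY flags $5, Activate $6 and optional Inactivate $7 / Delete $8.
write_demo_key() {
    base=$(printf '%s/K%s.+%03d+%05d' "$1" "$2" "$3" "$4")
    printf '%s. IN DNSKEY %s 3 %s AwEAAdemo-not-real-key-material\n' "$2" "$5" "$3" > "$base.key"
    {
        printf 'Private-key-format: v1.3\nAlgorithm: %s (demo)\nActivate: %s\n' "$3" "$6"
        if [ -n "$7" ]; then printf 'Inactivate: %s\n' "$7"; fi
        if [ -n "$8" ]; then printf 'Delete: %s\n' "$8"; fi
    } > "$base.private"
}

# Replay the post: ZSK 11985 went inactive on 1 June 2012 with no successor,
# and the dynamic-update failures appeared on 17 June. Prints the active ZSK
# count before and after an already-active successor (hypothetical id 22222)
# is dropped into the key directory.
demo_active_zsks() {
    dir=$(mktemp -d)
    zone=badzone.nau.edu
    now=20120617040658
    write_demo_key "$dir" "$zone" 5 40000 257 20120101000000 "" ""
    write_demo_key "$dir" "$zone" 5 11985 256 20120101000000 20120601000000 20120701000000
    before=$(count_active "$dir" zsk "$now")
    write_demo_key "$dir" "$zone" 5 22222 256 20120617000000 "" ""
    after=$(count_active "$dir" zsk "$now")
    rm -rf "$dir"
    echo "$before $after"
}

# The remedy the post describes, as BIND 9.9 commands to run by hand (not run
# here): create an explicit successor for the inactive ZSK in the zone's
# key-directory (dnssec-keygen -S sets its Activate to the predecessor's
# Inactivate, already in the past in this situation), have named load it, and
# force a full re-sign. Assumes the zone uses auto-dnssec maintain.
remediate_zone() {
    zone=$1; keydir=$2; predecessor=$3   # e.g. badzone.nau.edu /var/named/keys Kbadzone.nau.edu.+005+11985
    dnssec-keygen -K "$keydir" -S "$predecessor"
    rndc loadkeys "$zone"
    rndc sign "$zone"
}

echo "active ZSKs before/after successor: $(demo_active_zsks)"   # 0 1
```

Run list_keys against the real key-directory with the current time (date -u +%Y%m%d%H%M%S) from cron; any zone whose zsk count from count_active is 0 is about to hit the failure in the post, and it is cheaper to add the successor then than after named is already saturating a CPU.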